2021-05-29 15:30  阅读(188)
文章分类:Spring Security 源码分析 文章标签:Spring SecuritySpring Security 源码
©  原文作者: 郑龙飞 原文地址:https://juejin.cn/user/4212984285237870

目前常见的社交软件、购物软件、支付软件、理财软件等,均需要用户进行登录才可享受软件提供的服务。目前主流的登录方式主要有 3 种:账号密码登录、短信验证码登录和第三方授权登录。我们已经实现了账号密码和第三方授权登录。本章我们将使用Spring Security实现短信验证码登录。

概述

Spring Security源码分析一:Spring Security认证过程Spring Security源码分析二:Spring Security授权过程两章中。我们已经详细解读过Spring Security如何处理用户名和密码登录。(其实就是过滤器链)本章我们将仿照用户名密码来显示短信登录。

目录结构

202105291530412511.png https://user-gold-cdn.xitu.io/2018/1/14/160f3abd6445be85?w=439&h=248&f=png&s=13161

SmsCodeAuthenticationFilter

SmsCodeAuthenticationFilter对应用户名密码登录的UsernamePasswordAuthenticationFilter同样继承AbstractAuthenticationProcessingFilter

    public class SmsCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    
        /**
         * request中必须含有mobile参数
         */
        private String mobileParameter = SecurityConstants.DEFAULT_PARAMETER_NAME_MOBILE;
        /**
         * post请求
         */
        private boolean postOnly = true;
    
        protected SmsCodeAuthenticationFilter() {
            /**
             * 处理的手机验证码登录请求处理url
             */
            super(new AntPathRequestMatcher(SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_MOBILE, "POST"));
        }
    
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
            //判断是是不是post请求
            if (postOnly && !request.getMethod().equals("POST")) {
                throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
            }
            //从请求中获取手机号码
            String mobile = obtainMobile(request);
    
            if (mobile == null) {
                mobile = "";
            }
    
            mobile = mobile.trim();
            //创建SmsCodeAuthenticationToken(未认证)
            SmsCodeAuthenticationToken authRequest = new SmsCodeAuthenticationToken(mobile);
    
            //设置用户信息
            setDetails(request, authRequest);
            //返回Authentication实例
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    
        /**
         * 获取手机号
         */
        protected String obtainMobile(HttpServletRequest request) {
            return request.getParameter(mobileParameter);
        }
    
        protected void setDetails(HttpServletRequest request, SmsCodeAuthenticationToken authRequest) {
            authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
        }
    
        public void setMobileParameter(String usernameParameter) {
            Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
            this.mobileParameter = usernameParameter;
        }
    
        public void setPostOnly(boolean postOnly) {
            this.postOnly = postOnly;
        }
    
        public final String getMobileParameter() {
            return mobileParameter;
        }
    }
    复制代码
  1. 认证请求的方法必须为POST
  2. 从request中获取手机号
  3. 封装成自己的Authenticaiton的实现类SmsCodeAuthenticationToken(未认证)
  4. 调用 AuthenticationManagerauthenticate 方法进行验证(即SmsCodeAuthenticationProvider

SmsCodeAuthenticationToken

SmsCodeAuthenticationToken对应用户名密码登录的UsernamePasswordAuthenticationToken

    public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {
        private static final long serialVersionUID = 2383092775910246006L;
    
        /**
         * 手机号
         */
        private final Object principal;
    
        /**
         * SmsCodeAuthenticationFilter中构建的未认证的Authentication
         * @param mobile
         */
        public SmsCodeAuthenticationToken(String mobile) {
            super(null);
            this.principal = mobile;
            setAuthenticated(false);
        }
    
        /**
         * SmsCodeAuthenticationProvider中构建已认证的Authentication
         * @param principal
         * @param authorities
         */
        public SmsCodeAuthenticationToken(Object principal,
                                          Collection<? extends GrantedAuthority> authorities) {
            super(authorities);
            this.principal = principal;
            super.setAuthenticated(true); // must use super, as we override
        }
    
        @Override
        public Object getCredentials() {
            return null;
        }
    
        @Override
        public Object getPrincipal() {
            return this.principal;
        }
    
        /**
         * @param isAuthenticated
         * @throws IllegalArgumentException
         */
        public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
            if (isAuthenticated) {
                throw new IllegalArgumentException(
                        "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
            }
    
            super.setAuthenticated(false);
        }
    
        @Override
        public void eraseCredentials() {
            super.eraseCredentials();
        }
    }
    复制代码

SmsCodeAuthenticationProvider

SmsCodeAuthenticationProvider对应用户名密码登录的DaoAuthenticationProvider

    public class SmsCodeAuthenticationProvider implements AuthenticationProvider {
    
        private UserDetailsService userDetailsService;
    
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            SmsCodeAuthenticationToken authenticationToken = (SmsCodeAuthenticationToken) authentication;
            //调用自定义的userDetailsService认证
            UserDetails user = userDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());
    
            if (user == null) {
                throw new InternalAuthenticationServiceException("无法获取用户信息");
            }
            //如果user不为空重新构建SmsCodeAuthenticationToken(已认证)
            SmsCodeAuthenticationToken authenticationResult = new SmsCodeAuthenticationToken(user, user.getAuthorities());
    
            authenticationResult.setDetails(authenticationToken.getDetails());
    
            return authenticationResult;
        }
    	
    	/**
         * 只有Authentication为SmsCodeAuthenticationToken使用此Provider认证
         * @param authentication
         * @return
         */
        @Override
        public boolean supports(Class<?> authentication) {
            return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
        }
    
        public UserDetailsService getUserDetailsService() {
            return userDetailsService;
        }
    
        public void setUserDetailsService(UserDetailsService userDetailsService) {
            this.userDetailsService = userDetailsService;
        }
    }
    复制代码

SmsCodeAuthenticationSecurityConfig短信登录配置

    @Component
    public class SmsCodeAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
    
        @Autowired
        private AuthenticationFailureHandler merryyouAuthenticationFailureHandler;
    
        @Autowired
        private UserDetailsService userDetailsService;
    
        @Override
        public void configure(HttpSecurity http) throws Exception {
            //自定义SmsCodeAuthenticationFilter过滤器
            SmsCodeAuthenticationFilter smsCodeAuthenticationFilter = new SmsCodeAuthenticationFilter();
            smsCodeAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
            smsCodeAuthenticationFilter.setAuthenticationFailureHandler(merryyouAuthenticationFailureHandler);
    
            //设置自定义SmsCodeAuthenticationProvider的认证器userDetailsService
            SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();
            smsCodeAuthenticationProvider.setUserDetailsService(userDetailsService);
            //在UsernamePasswordAuthenticationFilter过滤前执行
            http.authenticationProvider(smsCodeAuthenticationProvider)
                    .addFilterAfter(smsCodeAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }
    
    复制代码

MerryyouSecurityConfig 主配置文件

     @Override
        protected void configure(HttpSecurity http) throws Exception {
    //        http.addFilterBefore(validateCodeFilter, UsernamePasswordAuthenticationFilter.class)
            http
                    .formLogin()//使用表单登录,不再使用默认httpBasic方式
                    .loginPage(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL)//如果请求的URL需要认证则跳转的URL
                    .loginProcessingUrl(SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_FORM)//处理表单中自定义的登录URL
                    .and()
                    .apply(validateCodeSecurityConfig)//验证码拦截
                    .and()
                    .apply(smsCodeAuthenticationSecurityConfig)
                    .and()
                    .apply(merryyouSpringSocialConfigurer)//社交登录
                    .and()
                    .rememberMe()
    ......
    复制代码

调试过程

短信登录拦截请求/authentication/mobile

202105291530414542.png https://user-gold-cdn.xitu.io/2018/1/14/160f3abd6467cddd?w=1364&h=735&f=png&s=302724

自定义SmsCodeAuthenticationProvider

202105291530445383.png https://user-gold-cdn.xitu.io/2018/1/14/160f3abd63fdfb98?w=917&h=708&f=png&s=238342

效果如下:

202105291530459844.png https://user-gold-cdn.xitu.io/2018/1/14/160f3abd5b178799?w=1346&h=655&f=gif&s=2641171

代码下载

从我的 github 中下载,github.com/longfeizhen…

点赞(0)
版权归原创作者所有,任何形式转载请联系作者; Java 技术驿站 >> Spring Security源码分析五:Spring Security实现短信登录
上一篇
Spring Security源码分析四:Spring Social实现微信社交登录
下一篇
Spring Security源码分析六:Spring Social社交登录源码解析